CryptoPHP is essentially a script file planted inside the plugins or themes folder of an open-source content management system (CMS) to create a back door into your website. Imagine you have set up a website for a company that stores very confidential and sensitive information, and nobody is aware of this security hole. The script resides inside the website, sends information to the attackers and does all sorts of things, including creating an admin user in the background; basically, it can take control of your website without your knowledge. There is a good explanation of CryptoPHP on the Fox-IT website, which I recommend reading. Most developers seem to choose open-source systems as a cost-effective and quick solution for CMS, e-commerce, CRM and so on. I must admit, open-source solutions provide a lot of functionality and features out of the box, and there are many plugins and themes to choose from. These robust features attract developers and drive customers towards open-source technology. On the other side, hackers tend to target open-source systems and look for ways to break into them.
Never download open-source systems from any website other than the vendor's or publisher's own site; doing so might put your site at security risk. If you want to download Joomla, download it from joomla.org; WordPress from wordpress.org; and so on.
Recently I downloaded a theme from the NulledListings.com website for the WordPress CMS. Fortunately I installed it on my test server, and my security scanner detected a CryptoPHP file in my WordPress site; interestingly, this only happened when I installed this theme. My website worked fine and was fully functional after installing the theme. I did not notice anything suspicious on my site. My security scanner said “/var/www/test/wp-content/themes/abundance/image/social.png” CryptoPHP file detected. From the path of the file you can see it is an image file; immediately you might wonder how an image file can contain a script! I checked the downloaded theme on my local PC and I can see the file in the theme folder, but Windows could not create a thumbnail for it since it was not a valid image file. See the image below –
I checked my web server and found the file at that location.
You can see the “social.png” file in the list of files at that location. Let's open the file and see its contents; this is what I found –
You can clearly see the content of the file: it contains a PHP script that creates tables and inserts data into the database. Basically, every time a user loads or visits the website, the script runs and sends data to the hackers' remote server. This is a very simple one, though I have seen CryptoPHP infections with more complex code spread across many script files in various locations. So how does the file get executed?
Very Scary!!!
So what is this script file doing? Let's do a global search of the website root directory for the string “social” in any location.
I can see that the functions.php file contains the social.png file name; let's have a look –
If you scroll down to the bottom of the file, you can see the line that includes this CryptoPHP file –
<?php include('images/social.png'); ?>
You should immediately remove this line and save the file. You also need to delete the social.png file from your server to protect your site from compromise.
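The two tell-tale signs found above (an “image” that is really PHP, and a theme file that includes a non-PHP file) can be checked for automatically across a whole theme. The script below is an added example, not part of the original post or of any scanner product; the sample theme it builds in a temporary directory is constructed to mirror the case described, with the file and directory names (images/social.png, functions.php) taken from the post.

```python
import os
import re
import tempfile

# Genuine header bytes for the image types checked.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
# include/require whose target's extension is anything but .php
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?!php\b)\w+)['\"]",
    re.IGNORECASE)

def scan_theme(root):
    """Walk a theme directory; return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_MAGIC:
                # An image whose header is wrong, or that carries a PHP open
                # tag anywhere, is not an image.
                if not data.startswith(IMAGE_MAGIC[ext]) or b"<?php" in data:
                    findings.append((rel, "image file contains PHP code"))
            elif ext == ".php":
                for m in INCLUDE_RE.finditer(data.decode("utf-8", "replace")):
                    findings.append((rel, "includes non-PHP file " + m.group(1)))
    return sorted(findings)

def build_sample_theme():
    """Constructed sample mirroring the post: bogus social.png, a functions.php
    that includes it, and one genuine PNG that must not be flagged."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "social.png"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for the backdoor body */ ?>")
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write("<?php\n// ...theme code...\ninclude('images/social.png');\n")
    return root

if __name__ == "__main__":
    for rel, reason in scan_theme(build_sample_theme()):
        print(rel, "->", reason)
```

Point scan_theme() at a real wp-content/themes/<theme> directory to check a theme before installing it; a legitimate theme should produce no findings.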
Enjoy coding!